AGL Development / SPEC-306

built-in CVE checker in YP 2.3


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: Eel
    • Fix Version/s: Flounder
    • Component/s: None
    • Labels:

      Description

      From the YP mailing list ...

      > ----Original Message----
      > Subject: cve-checker tool
      >
      > Hi guys,
      >
      > I have some questions regarding the cve-check tool. I don't find anything
      > about this tool in the Yocto 2.2 release; does the documentation mention
      > this tool and how to use it?
      >
      > Is this tool planned to be integrated with the daily build so the Yocto project
      > can detect not addressed CVEs automatically?
      >
      > Mariano:
      > Does this tool look at the CVE tag inside the recipe as well, or does it only check the
      > package version?
      >
      > Can this tool be used together with "meta-security-isafw" to get a fancy
      > report?

      There is some useful info in the cve-check.bbclass:

      # In order to use this class just inherit the class in the
      # local.conf file and it will add the cve_check task for
      # every recipe. The task can be used per recipe, per image,
      # or using the special cases "world" and "universe". The
      # cve_check task will print a warning for every unpatched
      # CVE found and generate a file in the recipe WORKDIR/cve
      # directory. If an image is built it will generate a report
      # in DEPLOY_DIR_IMAGE for all the packages used.

      I see the following logs are generated:
      ./unzip/1_6.0-r5/cve/cve.log
      ./gnutls/3.5.3-r0/cve/cve.log
      ./glibc/2.24-r0/cve/cve.log
      ./glibc-initial/2.24-r0/cve/cve.log
      ./foomatic-filters/4.0.17-r1/cve/cve.log
      ./bzip2/1.0.6-r5/cve/cve.log
      ./libxml2/2.9.4-r0/cve/cve.log
      ./perl/5.22.1-r0/cve/cve.log
      ./expat/2.2.0-r0/cve/cve.log
      ./flex/2.6.0-r0/cve/cve.log
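      The per-recipe cve.log files listed above are what a build produces, but nothing on this ticket aggregates them. The script below is an added example (not code from the ticket, from AGL, or from cve-check.bbclass) that walks a WORKDIR tree, parses every cve/cve.log and maps each recipe to its unpatched CVE ids, sorted by score, so a build report can be triaged. It assumes the class writes blank-line separated "KEY: value" records with PACKAGE NAME, CVE, CVE STATUS and CVSS v2 BASE SCORE lines; that layout, the sample file contents and the CVE ids in them are constructed placeholders, not real advisories.

```python
import os
import tempfile
from collections import defaultdict

# Constructed sample content for three of the cve.log paths named in the ticket.
# The "KEY: value" record layout, with records separated by a blank line, is an
# assumption about what cve-check.bbclass writes; the CVE ids, scores and URLs
# are placeholders made up for this example, not real advisories.
SAMPLE_LOGS = {
    "unzip/1_6.0-r5/cve/cve.log": (
        "PACKAGE NAME: unzip\n"
        "PACKAGE VERSION: 6.0\n"
        "CVE: CVE-0000-0001\n"
        "CVE STATUS: Unpatched\n"
        "CVE SUMMARY: placeholder summary (constructed)\n"
        "CVSS v2 BASE SCORE: 5.0\n"
        "VECTOR: NETWORK\n"
        "MORE INFORMATION: https://example.invalid/CVE-0000-0001\n"
        "\n"
        "PACKAGE NAME: unzip\n"
        "PACKAGE VERSION: 6.0\n"
        "CVE: CVE-0000-0002\n"
        "CVE STATUS: Patched\n"
        "CVE SUMMARY: placeholder summary (constructed)\n"
        "CVSS v2 BASE SCORE: 4.3\n"
        "VECTOR: NETWORK\n"
        "MORE INFORMATION: https://example.invalid/CVE-0000-0002\n"
    ),
    "glibc/2.24-r0/cve/cve.log": (
        "PACKAGE NAME: glibc\n"
        "PACKAGE VERSION: 2.24\n"
        "CVE: CVE-0000-0003\n"
        "CVE STATUS: Unpatched\n"
        "CVE SUMMARY: placeholder summary (constructed)\n"
        "CVSS v2 BASE SCORE: 7.5\n"
        "VECTOR: NETWORK\n"
        "MORE INFORMATION: https://example.invalid/CVE-0000-0003\n"
    ),
    # A recipe with nothing to report: assume the class leaves the file empty.
    "bzip2/1.0.6-r5/cve/cve.log": "",
}


def parse_cve_log(text):
    """Split one cve.log into a list of dicts, one per CVE record."""
    records = []
    for chunk in text.split("\n\n"):
        rec = {}
        for line in chunk.splitlines():
            if ": " not in line:
                continue  # tolerate stray lines rather than abort the report
            key, value = line.split(": ", 1)
            rec[key.strip()] = value.strip()
        if "CVE" in rec:
            records.append(rec)
    return records


def unpatched(records):
    """Keep only records the class flagged as unpatched, highest score first."""
    hits = [r for r in records if r.get("CVE STATUS", "").lower() == "unpatched"]
    return sorted(hits, key=lambda r: float(r.get("CVSS v2 BASE SCORE", "0")),
                  reverse=True)


def summarize_tree(workdir):
    """Walk WORKDIR, read every */cve/cve.log and map recipe -> unpatched CVE ids."""
    summary = defaultdict(list)
    for dirpath, _dirs, files in os.walk(workdir):
        if os.path.basename(dirpath) != "cve" or "cve.log" not in files:
            continue
        with open(os.path.join(dirpath, "cve.log"), encoding="utf-8") as fh:
            for rec in unpatched(parse_cve_log(fh.read())):
                summary[rec.get("PACKAGE NAME", "?")].append(rec["CVE"])
    return dict(summary)


def write_sample_tree(root):
    """Lay the constructed sample logs out as WORKDIR/<recipe>/<ver>/cve/cve.log."""
    for rel, content in SAMPLE_LOGS.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the sample tree in a temporary directory and return the summary."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root)
        return summarize_tree(root)


if __name__ == "__main__":
    for pkg, cves in sorted(demo().items()):
        print("%s: %d unpatched: %s" % (pkg, len(cves), ", ".join(cves)))
```

      Run it against a real build by calling summarize_tree() with the path to tmp/work instead of the temporary tree; recipes whose cve.log holds only patched entries (or is empty) drop out of the summary, which is the behaviour wanted when the output feeds a daily-build check.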


            People

            Assignee: Scott Murray (scottm)
            Reporter: Jan-Simon Moeller (jsmoeller)
            Votes: 0
            Watchers: 2
